Don’t Blame the Cloud for HIPAA Violations

As mentioned more than once in previous posts, a lot of health care providers hesitate to use cloud storage for electronic health records (EHRs) because they believe that putting EHRs in the cloud would make them more vulnerable to hackers. Because EHRs also contain personal information such as home addresses and Social Security numbers, this is a legitimate concern. But according to a recent report posted on the U.S. Department of Health and Human Services (HHS) website, hackers are the least of doctors’ worries when it comes to Health Insurance Portability and Accountability Act (HIPAA) violations and other patient privacy issues.

The HHS report details breaches that affected more than 500 people. Topping the list are theft, loss, and unauthorized access or disclosure. Since one incident, which affected more than 7,600 people, involved a stolen laptop, this is a good place to stress the importance of employee training. Teaching employees how to avoid having their laptops stolen, how to encrypt and password-protect documents, and how to password-protect their laptops could spare a lot of people a lot of pain and suffering. For example, just teaching an employee to always lock or log off of the computer before walking away from it is a start. The next step is to teach employees how to create complicated passwords to protect not only their laptops, tablets and smart devices but also the files within them.

It’s not pleasant to consider that the majority of HIPAA violations that appear on the HHS report weren’t committed by anonymous hackers sitting at computers far, far away. Instead, they were committed by unscrupulous or untrained individuals right here in the U.S. That doesn’t mean that health care organizations should disregard hacking. On the contrary, one hacking incident that occurred in November 2010 affected close to 160,000. Having a team of managed IT services professionals monitoring its network doesn’t guarantee that a health care organization won’t get hacked, but it could certainly increase the odds of catching the breach before too much damage has been done. Hacking is definitely a threat. But so are human ignorance and nefariousness.

Instead of fearing the cloud and cloud storage, health care providers and administrators could turn their focus toward teaching the ignorant how to safeguard themselves against the nefarious. In three instances that affected hundreds of thousands of people, hard drives were stolen. There’s not a lot you can do to prevent a determined thief from stealing a vehicle. On the other hand, if all the data on the hard drives had been transferred to a remote server or cloud-based storage location, the damage could have been minimized. The health care organization would have been out valuable hardware, but its patients’ EHRs would have been safely stored elsewhere.

Sometimes, even when you do everything right, bad things happen. Systems get hacked. Vehicles get stolen and, as a consequence, everything in them gets stolen, too. But if health care employees get proper training that’s updated and repeated regularly, some of the breaches, like those that occurred as the result of lost or stolen laptops, could end up happening less often.